wanopt : profile
WAN optimization uses profiles to select traffic to be optimized. But, before WAN optimization can accept traffic, the traffic must be accepted by a FortiGate firewall policy. All sessions accepted by a firewall policy that also match a WAN optimization profile are processed by WAN optimization.
To configure WAN optimization you add WAN optimization profiles to the FortiGate units at each end of the tunnel. Firewall policies use the specified WAN optimization profile to determine how to optimize the traffic over the WAN.
The FortiGate unit applies firewall policies to packets before WAN optimization profiles. A WAN optimization profile is applied to a packet only after the packet is accepted by a firewall policy.
config wanopt profile
    edit <name_str>
        set auth-group <auth_group_name>
        set transparent {enable | disable}
        config {cifs | ftp | http | mapi | tcp}
            set byte-caching {enable | disable}
            set byte-caching-opt {mem-only | mem-disk}
            set log-traffic {enable | disable}
            set port <port_int>[-<port_int>]
            set prefer-chunking {fix | dynamic}
            set secure-tunnel {enable | disable}
            set ssl {enable | disable}
            set status {enable | disable}
            set tunnel-non-http {enable | disable}
            set tunnel-sharing {express-shared | private | shared}
            set unknown-http-version {best-effort | reject | tunnel}
        end
    end
edit <name_str>
Enter a name for this profile.
auth-group <auth_group_name>
Select an authentication group to be used by this profile. Select an authentication group if you want the client and server FortiGate units that use this profile to authenticate with each other before starting a WAN optimization tunnel.
You must add the same authentication group to the client and server FortiGate units. The authentication group must have the same name on both FortiGate units and use the same pre-shared key or the same certificate.
You can add an authentication group to profiles with auto-detect set to off or active. An authentication group is required if you enable secure-tunnel for the profile.
transparent {enable | disable}
Enable or disable transparent mode for this profile.
If you enable transparent mode, WAN optimization keeps the original source address of the packets, so servers appear to receive traffic directly from clients. Routing on the server network should be able to route traffic with client IP addresses to the FortiGate unit.
If you do not select transparent mode, the source address of the packets received by servers is changed to the address of the FortiGate unit interface. So servers appear to receive packets from the FortiGate unit. Routing on the server network is simpler in this case because client addresses are not involved, but the server sees all traffic as coming from the FortiGate unit and not from individual clients.
config {cifs | ftp | http | mapi | tcp} fields
byte-caching {enable | disable}
Enable or disable WAN optimization byte caching for the traffic accepted by this profile. Byte caching is a WAN optimization technique that reduces the amount of data that has to be transmitted across a WAN by caching file data to serve it later as required. Byte caching is available for all protocols.
Default: disable for tcp; enable for all other protocols.
byte-caching-opt {mem-only | mem-disk}
Select whether byte-caching optimization uses only memory or both memory and disk. This option is available for TCP only.
log-traffic {enable | disable}
Enable or disable traffic logging.
port <port_int>[-<port_int>]
Enter a single port number or port number range for the profile. Only packets whose destination port number matches this port number or port number range will be accepted by and subject to this profile.
prefer-chunking {fix | dynamic}
Select dynamic or fixed data chunking. Dynamic data chunking helps to detect persistent data chunks in a changed file or in an embedded unknown protocol.
prefer-chunking is not available for TCP and MAPI.
For TCP, if byte-caching-opt is mem-disk, the chunking algorithm is dynamic. For MAPI, only dynamic chunking is used. For other protocols, fix is the default.
Default: depends on protocol (see above).
secure-tunnel {enable | disable}
Enable or disable using SSL with AES-128-CBC to encrypt and secure the traffic in the WAN optimization tunnel. The FortiGate units use FortiASIC acceleration to accelerate SSL decryption and encryption of the secure tunnel. The secure tunnel uses the same TCP port as a non-secure tunnel (TCP port 7810).
You can configure secure-tunnel if auto-detect is set to active or off. If you enable secure-tunnel you must also add an auth-group to the profile.
ssl {enable | disable}
Enable or disable applying SSL offloading for HTTPS traffic. You use SSL offloading to offload SSL encryption and decryption from one or more HTTP servers. If you enable ssl, you should configure the profile to accept SSL-encrypted traffic, usually by configuring the profile to accept HTTPS traffic by setting port to 443.
If you enable ssl you must also use the config wanopt ssl-server command to add an SSL server for each HTTP server that you want to offload SSL encryption/decryption for. See wanopt ssl-server.
You can configure ssl if auto-detect is set to active or off.
status {enable | disable}
Enable or disable the profile.
tunnel-non-http {enable | disable}
Configure how to process non-HTTP traffic when a profile configured to accept and optimize HTTP traffic accepts a non-HTTP session. This can occur if an application sends non-HTTP traffic using an HTTP destination port.
Select disable to drop or tear down non-HTTP sessions accepted by the profile.
Select enable to pass non-HTTP sessions through the tunnel without applying protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied to non-HTTP sessions.
You can configure tunnel-non-http if proto is set to http and auto-detect is set to active or off.
tunnel-sharing {express-shared | private | shared}
Select the tunnel sharing mode for this profile:
Select express-shared for profiles that accept interactive protocols such as Telnet.
Select private for profiles that accept aggressive protocols such as HTTP and FTP so that these aggressive protocols do not share tunnels with less-aggressive protocols.
Select shared for profiles that accept non-aggressive and non-interactive protocols.
You can configure tunnel sharing if proto is set to http and auto-detect is set to off.
unknown-http-version {best-effort | reject | tunnel}
Unknown HTTP sessions are HTTP sessions that don’t comply with HTTP 0.9, 1.0, or 1.1. Configure unknown-http-version to specify how a profile handles HTTP traffic that does not comply with HTTP 0.9, 1.0, or 1.1.
Select best-effort to assume all HTTP sessions accepted by the profile comply with HTTP 0.9, 1.0, or 1.1. If a session uses a different HTTP version, WAN optimization may not parse it correctly. As a result the FortiGate unit may stop forwarding the session and the connection may be lost.
Select reject to reject or tear down HTTP sessions that do not use HTTP 0.9, 1.0, or 1.1.
Select tunnel to pass HTTP traffic that does not use HTTP 0.9, 1.0, or 1.1 without applying HTTP protocol optimization, byte-caching, or web caching. TCP protocol optimization is applied to this HTTP traffic.
You can configure unknown-http-version if proto is set to http and auto-detect is set to active or off.
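The field descriptions above carry a number of cross-field constraints that the CLI reference states in prose: secure-tunnel requires an auth-group on the profile, byte-caching-opt applies to TCP only, prefer-chunking is not available for TCP or MAPI, and tunnel-non-http, tunnel-sharing and unknown-http-version are HTTP-only settings. The following is an added example, not Fortinet's code or tooling: a small Python linter that parses a wanopt profile block in FortiOS CLI syntax (the parser, the rule set and the sample configuration are all constructed for this example) and reports settings that contradict those constraints, plus a defender's finding for any enabled protocol whose tunnel traffic is not encrypted with secure-tunnel. The profile names, auth-group name and port values in the sample are invented.

```python
"""Added example (not Fortinet's code): lint a `config wanopt profile` block
against the constraints stated in the CLI reference. The FortiOS text below
is constructed for the example, and the parser is a minimal assumption about
the config/edit/set/next/end structure, not a Fortinet library."""
import shlex

# Constructed sample: the first profile follows the reference, the second
# violates several of its stated constraints.
SAMPLE_CONFIG = """\
config wanopt profile
    edit "branch-to-hq"
        set auth-group "hq-psk-group"
        set transparent enable
        config http
            set status enable
            set port 80
            set secure-tunnel enable
            set byte-caching enable
            set prefer-chunking dynamic
            set tunnel-sharing private
            set unknown-http-version reject
        end
        config tcp
            set status enable
            set port 10000-10010
            set byte-caching enable
            set byte-caching-opt mem-disk
            set secure-tunnel enable
        end
    next
    edit "legacy-open"
        config http
            set status enable
            set port 80
            set secure-tunnel enable
            set tunnel-non-http enable
        end
        config mapi
            set status enable
            set prefer-chunking fix
            set byte-caching-opt mem-only
        end
    next
end
"""

# Settings that the reference says can only be configured when proto is http.
HTTP_ONLY = {"tunnel-non-http", "tunnel-sharing", "unknown-http-version"}


def parse_fortios(text):
    """Parse a wanopt profile block into
    {profile_name: {"set": {...}, "config": {proto: {...}}}}."""
    profiles = {}
    current = None  # profile dict currently being filled
    proto = None    # name of the nested protocol block, if inside one
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # handles quoted names such as "hq-psk-group"
        kw = tokens[0]
        if kw == "edit":
            current = {"set": {}, "config": {}}
            profiles[tokens[1]] = current
        elif kw == "config" and current is not None and len(tokens) == 2:
            # "config http" etc.; the top-level "config wanopt profile" has 3 tokens
            proto = tokens[1]
            current["config"][proto] = {}
        elif kw == "set" and current is not None:
            target = current["config"][proto] if proto else current["set"]
            target[tokens[1]] = " ".join(tokens[2:])
        elif kw == "end":
            proto = None  # closes the protocol block (or the outer block)
        elif kw == "next":
            current, proto = None, None
    return profiles


def lint_profile(name, prof):
    """Return a list of findings for one parsed profile."""
    findings = []
    auth_group = prof["set"].get("auth-group")
    for proto, s in prof["config"].items():
        if s.get("secure-tunnel") == "enable" and not auth_group:
            findings.append(f"{name}/{proto}: secure-tunnel enabled but profile has no auth-group")
        if s.get("status") == "enable" and s.get("secure-tunnel") != "enable":
            findings.append(f"{name}/{proto}: tunnel traffic not encrypted (secure-tunnel not enabled)")
        if "byte-caching-opt" in s and proto != "tcp":
            findings.append(f"{name}/{proto}: byte-caching-opt applies to tcp only")
        if "prefer-chunking" in s and proto in ("tcp", "mapi"):
            findings.append(f"{name}/{proto}: prefer-chunking is not available for tcp or mapi")
        for key in sorted(HTTP_ONLY & s.keys()):
            if proto != "http":
                findings.append(f"{name}/{proto}: {key} can only be set when proto is http")
        if s.get("ssl") == "enable" and s.get("port") != "443":
            findings.append(f"{name}/{proto}: ssl enabled but port is {s.get('port')!r} (HTTPS is usually 443)")
    return findings


def lint_config(text):
    """Lint every profile in the text; returns {profile_name: [findings]}."""
    return {name: lint_profile(name, prof) for name, prof in parse_fortios(text).items()}


if __name__ == "__main__":
    for profile, findings in lint_config(SAMPLE_CONFIG).items():
        print(f"{profile}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run against the constructed sample, "branch-to-hq" produces no findings, while "legacy-open" is flagged for enabling secure-tunnel without an auth-group, for leaving its MAPI tunnel unencrypted, and for the two MAPI settings (byte-caching-opt, prefer-chunking) that the reference says do not apply to that protocol. The unencrypted-tunnel check is stricter than anything the reference mandates; it is there because a plaintext tunnel across a WAN is the risk a reviewer would want surfaced.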